Extended Static Checking for Java
Cormac Flanagan
Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata
Compaq Systems Research Center
What is "Static Checking"?
[Diagram: Annotated source code -> Static checker -> Error: ...]
Examples of static checkers and the kind of error each reports:
- type systems: "Error: wrong number of arguments in method call"
- lint: "Error: unreachable code"
- full program verification: "Error: qsort does not yield a sorted array"

Why not just use testing?
- Testing is essential, but:
  - expensive
  - finds errors late
  - misses errors
- Static checking and testing are complementary

Comparison of Static Checkers
[Graph: quality (up to 100%) against effort, placing lint, type systems, Extended Static Checking (ESC/Modula-3, ESC/Java) and full verification. Note: graph is not to scale.]

Goals of ESC/Java
- Practical static checking
- Detect common run-time errors:
  - null dereferences
  - array bounds
  - type casts
  - race conditions
  - deadlocks
- Modular checking

Non-goals of ESC/Java
- Complete functional verification
- Completeness: may not pass all programs
- Soundness: may fail to detect errors (error-resistant, not error-proof)

Architecture of ESC/Java
[Diagram: Method + annotations -> Verification condition generator -> verification condition (e.g. ∀x. ∀y. (x > y ==> …)) -> Automatic theorem prover -> Counterexample -> "Error: index out of bounds on line 218". Background axioms are supplied alongside the verification condition.]

Input to ESC/Java
[Architecture diagram as before, highlighting the "Method + annotations" stage.]

Modular checking
[Diagram: the method body is checked against its interface, and each client is checked against that same interface, so implementation and clients are checked separately.]

Describing interfaces

    public class Vector {
        Object[] a;
        int size;
        public Object elementAt(int i) { ... }
        public Object[] copyToArray() { ... }
    }

Annotations on the class and its methods:
- invariant a != null
- invariant size <= a.length
- requires 0 <= i && i < size   (precondition, e.g. on elementAt)
- ensures RES != null && RES.length == size   (postcondition, e.g. on copyToArray)
- modifies size, a[0], a[*]   (frame: the locations a method may change)

Input to ESC/Java's "checking engine"
- Method implementation
- Interface annotations: requires, ensures, modifies, invariants

Verification condition generation
[Architecture diagram as before, highlighting the "Verification condition generator" stage.]

Verification condition generation
- Easy for small languages [Dijkstra]
- Much harder for real languages:
  - object-oriented
  - typed
  - dynamic allocation
  - exceptions
  - aliasing
  - threads

Verification conditions for real programs

Java:
    x = a[ i++ ];

Guarded command:
    i0 = i; i = i + 1;
    assert (LABEL a != null);
    assert (LABEL 0 <= i0);
    assert (LABEL i0 < a.length);
    x = elems[a][i0];

Verification condition (computed by wlp):
    ∀i0. (i0 == i ==> …)

The method body is wrapped so that the translation also: assumes preconditions, assumes invariants (on entry); asserts postconditions, asserts invariants (on exit).

Exceptions
- Java has exceptions
- Add exceptions (raise and catch) to the guarded command language
- Calculate wlp of a GC statement with respect to both a normal and an exceptional postcondition

Method overriding
- A method in a subclass can override a method in a superclass
- It must respect the interface of the overridden method:
  - weaker requires clause
  - stronger ensures clause
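The overriding rule above can be checked mechanically. The following is an added example (not from the slides and not ESC/Java code) that brute-forces a constructed contract for int abs(int x) and three overrides over a small integer domain, reporting where an override demands more than the base method (stronger requires) or promises less (weaker ensures). The Contract class, the contracts and the domain are assumptions made for the illustration.

```python
# Added illustration of the overriding rule: an override must have a weaker
# (or equal) requires clause and a stronger (or equal) ensures clause than the
# method it overrides, so every client written against the superclass
# interface stays correct.  Checked here by brute force over a small domain
# rather than by ESC/Java's theorem prover; the contracts are constructed.


class Contract:
    """requires(args...) -> bool, ensures(args..., result) -> bool."""
    def __init__(self, requires, ensures):
        self.requires = requires
        self.ensures = ensures


def override_violations(base, sub, arg_domain, result_domain):
    """Violations of the overriding rule, each labelled 'requires' or 'ensures':
    - ('requires', args, None): base.requires holds but sub.requires does not,
      i.e. the override demands more than base callers were asked to provide;
    - ('ensures', args, res): for args the base allows, a result the override
      permits is one the base postcondition rules out, i.e. it promises less."""
    problems = []
    for args in arg_domain:
        if not base.requires(*args):
            continue                      # base callers never pass these
        if not sub.requires(*args):
            problems.append(('requires', args, None))
            continue
        for res in result_domain:
            if sub.ensures(*args, res) and not base.ensures(*args, res):
                problems.append(('ensures', args, res))
    return problems


# Constructed contracts for int abs(int x) and three candidate overrides.
INT_MIN = -2**31
BASE = Contract(requires=lambda x: x != INT_MIN,
                ensures=lambda x, r: r >= 0)
GOOD = Contract(requires=lambda x: True,                        # weaker requires
                ensures=lambda x, r: r >= 0 and r in (x, -x))   # stronger ensures
STRONGER_PRE = Contract(requires=lambda x: x >= 0,              # demands more: bad
                        ensures=lambda x, r: r >= 0)
WEAKER_POST = Contract(requires=lambda x: True,
                       ensures=lambda x, r: r in (x, -x))        # promises less: bad

ARGS = [(x,) for x in range(-3, 4)]      # small domain standing in for int
RESULTS = list(range(-3, 4))


def check_all():
    """Map each candidate override to its list of violations."""
    return {name: override_violations(BASE, sub, ARGS, RESULTS)
            for name, sub in (('good', GOOD), ('stronger_pre', STRONGER_PRE),
                              ('weaker_post', WEAKER_POST))}


if __name__ == '__main__':
    for name, problems in check_all().items():
        print(name, 'OK' if not problems else problems[:3])
```

A bounded search like this only finds violations inside the domain it enumerates; the point of ESC/Java's approach is that the same two implications (base requires implies override requires, override ensures implies base ensures) are discharged for all inputs by the theorem prover.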

Verification condition
[Architecture diagram as before, highlighting the verification condition passed to the theorem prover.]

Verification condition
- Formula in untyped, first-order predicate calculus:
  - equality and function symbols
  - quantifiers
  - arithmetic operations
  - select and store operations
- E.g. ∀x. ∀y. (x > y ==> …)

Example verification condition
- Verification condition large but "dumb"
- The slide shows the Simplify S-expression ESC/Java generates for a small method, beginning:

    (IMPLIES (DISTINCT |ecReturn| |L_14.4|)
      (IMPLIES (AND ... (EQ |a:2.8| (asField |a:2.8| (array |T_int|))) ...
                    (EQ (isAllocated |this| alloc)) (NEQ |this| null))
        (FORALL (tmp1 |tmp2:21.4| |tmp3:21.6| |m:12.8| |mindex:13.8| |i:14.13| |tmp0:14.28|)
          (AND (IMPLIES ... (AND (LBLNEG (NEQ (select |a:2.8| |this|) null)) ...
            ... (LBLNEG (EQ |ecReturn| |ecReturn|)) ...
        (IMPLIES (NOT (EQ |L_14.4| |L_14.4|)) (AND (LBLNEG (EQ |L_14.4| |ecReturn|)))) ...)

  Variables carry their source position (e.g. |a:2.8| is field a declared at line 2, column 8), array reads are select terms over elems, and each LBLNEG wraps one check (null dereference, array bounds, ...) so that a counterexample can be mapped back to a source line. Most of the relational operators in the formula were lost in extraction and are elided here.

Background axioms
[Architecture diagram as before, highlighting the "Background axioms" input.]

Background axioms
- Additional properties of Java that the theorem prover needs to know:
  - A variable of type T always holds a value whose type is a subtype of T
  - The subtyping relation is reflexive, anti-symmetric, and transitive
  - new returns an object that is distinct from all existing objects
  - java.lang.Object has no supertype
  - ... lots more ...

Automatic theorem proving
[Architecture diagram as before, highlighting the "Automatic theorem prover" stage.]

Automatic theorem proving
- Use Simplify:
  - theorem prover from ESC/Modula-3
  - accepts formulae in untyped, first-order predicate calculus
  - attempts to prove or refute

Automatic theorem proving
[Diagram: Verification condition (e.g. ∀x. ∀y. (x > y ==> …)) -> Automatic theorem prover (Simplify) -> one of three outcomes: Valid, Counterexample, or Diverges.]

Handling counterexamples
[Architecture diagram as before, highlighting the "Counterexample" stage.]

Error message from counterexample
[Diagram: Verification condition ∀x. ∀y. ( … ( … (LABEL …) …) (LABEL …) …) -> Automatic theorem prover (Simplify) -> Counterexample: x417 > 7 … Label: … -> "Error: index out of bounds on line 218". The labels embedded in the verification condition record which check failed, and so which source line the error message points at.]
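Added example, not part of the slides and not ESC/Java code: a toy implementation of the pipeline described on the "Verification conditions for real programs", "Exceptions" and "Error message from counterexample" slides. It computes wlp over a small guarded-command language with labelled asserts, raise and try/catch, translates the slide's x = a[i++] into the same sequence of assignments and labelled checks, and stands in for Simplify with a bounded enumeration of small states that returns the first counterexample together with the label of the failing check. The labels (including the line number 218 in them), the state domains and the second example (a guarded read that throws) are constructed for the illustration.

```python
from itertools import product

# Guarded-command wlp calculator in the style of the ESC/Java pipeline
# (Java -> guarded commands -> verification condition -> counterexample ->
# error message).  Added illustration, not ESC/Java code: the "prover" is a
# bounded enumeration of small states instead of Simplify, and the labels
# and line numbers in the asserts are constructed.
#
# A postcondition is represented as a checker: state(dict) -> None if it
# holds, else the label of the first assertion that fails.  wlp() pushes a
# checker backwards through a command, so the result is a checker for the
# verification condition "if the precondition holds, every labelled check
# and the postcondition hold".


def wlp(cmd, N, X):
    """Weakest precondition of cmd w.r.t. normal postcondition N and
    exceptional postcondition X (both checkers)."""
    kind = cmd[0]
    if kind == 'assign':                   # ('assign', v, f): v := f(state)
        _, v, f = cmd
        return lambda s: N({**s, v: f(s)})
    if kind == 'assert':                   # ('assert', LABEL, f)
        _, label, f = cmd
        return lambda s: N(s) if f(s) else label
    if kind == 'assume':                   # ('assume', f): vacuous if f fails
        _, f = cmd
        return lambda s: N(s) if f(s) else None
    if kind == 'raise':                    # exceptional exit: X must hold
        return X
    if kind == 'seq':                      # c1 ; c2 ; ...  (fold from the right)
        post = N
        for c in reversed(cmd[1:]):
            post = wlp(c, post, X)
        return post
    if kind == 'choice':                   # c1 [] c2: both branches must be safe
        _, c1, c2 = cmd
        w1, w2 = wlp(c1, N, X), wlp(c2, N, X)
        return lambda s: w1(s) or w2(s)
    if kind == 'try':                      # try body catch handler
        _, body, handler = cmd
        return wlp(body, N, wlp(handler, N, X))
    raise ValueError(f'unknown command {kind}')


# Java "x = a[i++];" translated as on the slide.  i0 holds the old value of
# i; the last assignment is the array read elems[a][i0].  Labels constructed.
ARRAY_READ = ('seq',
    ('assign', 'i0', lambda s: s['i']),
    ('assign', 'i', lambda s: s['i'] + 1),
    ('assert', 'Null: a may be null (line 218)', lambda s: s['a'] is not None),
    ('assert', 'IndexNegative: 0 <= i0 may fail (line 218)', lambda s: 0 <= s['i0']),
    ('assert', 'IndexTooBig: i0 < a.length may fail (line 218)',
     lambda s: s['i0'] < len(s['a'])),
    ('assign', 'x', lambda s: s['a'][s['i0']]))


def method_vc(pre, body, post):
    """VC for a method: assume the precondition, run the body, assert the
    postcondition; an uncaught exception is reported with its own label."""
    return wlp(('seq', ('assume', pre), body,
                ('assert', 'Post: postcondition may fail', post)),
               lambda s: None, lambda s: 'Exception: uncaught exception')


def find_counterexample(checker, domains):
    """Bounded 'theorem prover': enumerate states over the given domains and
    return (state, failing label) for the first counterexample, else None."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        s = dict(zip(names, values))
        label = checker(s)
        if label is not None:
            return s, label
    return None


def check_array_read(pre):
    """Check 'x = a[i++]' under precondition pre; i0 plays the role of old(i)."""
    post = lambda s: s['i'] == s['i0'] + 1 and s['x'] == s['a'][s['i0']]
    return find_counterexample(method_vc(pre, ARRAY_READ, post),
                               {'a': [None, [], [7], [7, 8]], 'i': [-1, 0, 1, 2]})


def check_guarded_read(with_handler):
    """Java 'if (i < 0) throw new E(); x = i;', optionally wrapped in
    try { ... } catch (E e) { x = 0; }, checked against postcondition x >= 0."""
    body = ('choice',
            ('seq', ('assume', lambda s: s['i'] < 0), ('raise',)),
            ('seq', ('assume', lambda s: s['i'] >= 0), ('assign', 'x', lambda s: s['i'])))
    if with_handler:
        body = ('try', body, ('assign', 'x', lambda s: 0))
    return find_counterexample(method_vc(lambda s: True, body, lambda s: s['x'] >= 0),
                               {'i': [-1, 0, 1]})


if __name__ == '__main__':
    print(check_array_read(lambda s: s['a'] is not None))       # bounds counterexample
    print(check_array_read(lambda s: s['a'] is not None and 0 <= s['i'] < len(s['a'])))
    print(check_guarded_read(False), check_guarded_read(True))  # uncaught, then caught
```

With only "a != null" as precondition the search reports the state a = [], i = -1 and the IndexNegative label, which is exactly the information an ESC/Java error message is built from; adding "0 <= i && i < a.length" makes the condition hold on the whole domain. The try/catch case shows the second postcondition at work: without the handler the raise reaches the method's exceptional postcondition and is reported, with the handler the exceptional continuation is the catch block and the normal postcondition is checked after it.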

Initial experience
- First implementation is done
- Run on 30,000+ lines of code (mostly itself)
- Caught several errors: null dereference, array bounds
- Programmer can annotate and check about 300 lines per hour
- Looks promising...

Demonstration

ESC/Java Summary
- Finds more errors than type checking
- Costs less than full verification
- Currently working; is being evaluated
- Potential as "software reliability metric"
- Practical checking based on automatic theorem proving may be possible

Comparison of Static Checkers
[Graph: quality (up to 100%) against effort, placing lint, type systems, Extended Static Checking and full verification, with a "decidability limit" marked. Note: graph is not to scale.]

Metrics for Static Checkers
- Cost of using the tool
- Quality: does it miss errors? Does it give spurious warnings?

Challenges
- Automatic theorem proving
- Error messages from counterexample
- Verification conditions for real programs: object-oriented, typed, dynamic allocation, exceptions

ESC/Java vs. Testing
- Testing is essential, but: expensive, finds errors late, misses errors
- ESC/Java... ?

Background axioms
[Diagram: Java -> Guarded command -> (wlp) -> Verification condition, with the background axioms supplied alongside the verification condition.]

Additional annotations: assert, assume, nowarn, axiom

Describing interfaces

    public Integer[] sum(Integer[] a, Integer[] b);
        requires a != null && b != null;
        requires a.length == b.length;
        ensures RES != null && RES.length == a.length;
        modifies a[0], b[*];
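Added example, not from the slides and not ESC/Java code: a dynamic check of the sum contract above, written in Python with lists standing in for Java arrays and None for null. It evaluates each clause for one call, including the modifies clause, which is the one most easily misread: the callee may change a[0] and any element of b, and nothing else. The helper names and the three implementations are constructed for the illustration; ESC/Java establishes the same clauses statically for all calls.

```python
# Runtime check of the contract on the slide for sum(Integer[] a, Integer[] b):
#   requires a != null && b != null;   requires a.length == b.length;
#   ensures RES != null && RES.length == a.length;   modifies a[0], b[*];
# Added illustration: lists stand in for arrays, None for null, and the
# implementations below are constructed.  A violated requires clause is the
# caller's fault, so the body is not run in that case.

MODIFIES = {('a', 0), ('b', '*')}        # locations the callee may change


def frame_violations(modifies, before, after):
    """Array elements that changed but are not covered by the modifies clause."""
    bad = []
    for name in before:
        if (name, '*') in modifies:       # whole array may change
            continue
        for idx, (x, y) in enumerate(zip(before[name], after[name])):
            if x != y and (name, idx) not in modifies:
                bad.append((name, idx))
    return bad


def check_sum_call(impl, a, b):
    """Return the contract clauses that the call impl(a, b) violates."""
    if a is None or b is None:
        return ['requires a != null && b != null']
    if len(a) != len(b):
        return ['requires a.length == b.length']
    before = {'a': list(a), 'b': list(b)}   # snapshot for the frame check
    res = impl(a, b)
    violated = []
    if res is None or len(res) != len(a):
        violated.append('ensures RES != null && RES.length == a.length')
    for name, idx in frame_violations(MODIFIES, before, {'a': a, 'b': b}):
        violated.append(f'modifies: {name}[{idx}] changed but only a[0], b[*] may change')
    return violated


def sum_ok(a, b):
    """Fresh result array; clears b and caches the first result in a[0],
    both of which the modifies clause permits."""
    res = [x + y for x, y in zip(a, b)]
    for k in range(len(b)):
        b[k] = 0
    if res:
        a[0] = res[0]
    return res


def sum_in_place(a, b):
    """Accumulates into a itself: every a[k] with k >= 1 breaks the frame."""
    for k in range(len(a)):
        a[k] = a[k] + b[k]
    return a


def sum_null(a, b):
    """Returns null: breaks the ensures clause but respects the frame."""
    return None


if __name__ == '__main__':
    for impl in (sum_ok, sum_in_place, sum_null):
        print(impl.__name__, check_sum_call(impl, [1, 2, 3], [4, 5, 6]) or 'OK')
    print(check_sum_call(sum_ok, [1], None), check_sum_call(sum_ok, [1, 2], [3]))
```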